Previously thought limited to Apple and Google browsers, the flaw leaves communications between affected users and websites open to interception.
Apple and Google working on fixes for the decade-old flaw, which researchers blamed on an abandoned US policy on encryption.
By not properly vetting the Superfish adware, Lenovo became the most recent unwitting example of broken links in the software supply chain.
Researchers with Google's Project Zero security team say they've found three flaws with high severity that have yet to be patched.
The preloaded Superfish adware does more than hijack website ads in a browser. It also exposes Lenovo owners to a simple but dangerous hack that could spell disaster.
A security audit earlier this year showed gaps in the way the movie studio monitored its computer systems, according to a Recode report.
The company said previously that the vast majority of Macs were "safe by default" from the new security vulnerability known as the Bash or Shellshock bug.
The fingerprint reader on the iPhone 6 can be fooled by the same trick that unlocks the iPhone 5S -- but it didn't have to be that way.
Consumers and attorneys are already looking to the legal system for recourse following revelations that Lenovo installed potentially dangerous software on its PCs.
Yes, it seems US and UK spy agencies tried to snoop on people's smartphones, the company says. But privacy and security harm to users is limited by Gemalto's own network security and newer encryption used on modern networks.